Encrypt webhook with secret key or similar

[danielcharrua]

Hey! We are working on some payment solution involving Phoenixd on online stores but we realize that the webhook data is plain and opened (not secured in any way)...

Usually notification webhooks had some shared encryption key that both, the server and the online store know to open the data. The data travels encrypted. Actually, if an attacker knows the webhook endpoint they can attack the online store making payments as fulfilled when they are not.

The online store has no way to prove that the request is legit from phoenixd server. Maybe generating a secret key on phoenixd and making the data to travel encrypted, and then opened by the online store will make the request legit. Stripe and BTCPay Server use them.

Have you something in mind to implement in a near future? Would be nice to have this feature.

Thank you!

[pm47]

That is a great point, we should support this. I'm assuming you mean signed, not encrypted.

What language are you using in your backend? Did you consider using websocket for notifications, which would remove the issue?

[pm47]

Gave it a shot in #34.

[pm47]

Released in https://github.com/ACINQ/phoenixd/releases/tag/v0.1.5.

[danielcharrua]

Hey @pm47

You are right, meant signed not encrypted!
We are planning to release a Payment Gateway for WooCommerce stores (PHP backend).

WooCommerce Payment Gateways expose an endpoint to ckeck the payment has arrived. Usually all payment platforms use webhooks to talk to this endpoint, firing actions on payment ok, fail, refused, etc.

Thank you for the #34 will try and let you know!

Talking about the websocket now, is there a possibility to open a websocket connection for a particular invoice and not all invoices? This will help notifications in the frontend for the buyer, getting only the invoice and not all other invoices.

[pm47]

Talking about the websocket now, is there a possibility to open a websocket connection for a particular invoice and not all invoices?
This will help notifications in the frontend for the buyer, getting only the invoice and not all other invoices.

We could add some filtering, but if your idea is for the client browsers to directly call phoenixd websocket endpoint, we strongly advise against it. It is meant as a replacement for wehooks and should be called only from your server. The phoenixd api must not be accessible from the outside world.

We have this exact use case in our demo website https://starblocks.acinq.co/. The starblocks website uses websocket do get notifications from phoenixd, and exposes a websocket endpoint itself, with filtering, that is meant for browsers:

                                 +---+
+---+                            | S |                            +---+
| B |                            | T |                            | P |
| R |                            | A |                            | H |
| O |                            | R |                            | O |
| W | --- public websocket --->  | B | --- private websocket ---> | E |
| S |                            | L |                            | N |
| E |                            | O |                            | I |
| R |                            | C |                            | X |
+---+                            | K |                            | D |
                                 | S |                            +---+
                                 +---+